
I want my mobile clients to use less CPU power and less network bandwidth, and therefore want to use an ECC certificate for Azure Mobile Apps.

How do I generate an ECC based certificate for use with Azure Mobile?

makerofthings7

2 Answers


There is no need for OpenSSL at all. If you can use a Microsoft CA, use it to request the certificate (via the Certificates MMC snap-in). To use an external CA, you can create a certificate request with the certreq.exe tool. Create the following INF template:

[NewRequest]
Subject="CN=<subject>"
; ECDSA rather than ECDH: a TLS server key has to sign handshakes, and an ECDH key can only do key agreement
KeyAlgorithm=ECDSA_P384
ProviderName="Microsoft Software Key Storage Provider"
KeyLength=384
Exportable=True ; needed later to export the key into a PFX
MachineKeySet=false
KeyUsage=0xa0 ; digitalSignature (0x80) + keyEncipherment (0x20)
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

and run the command:

certreq -new path\inffile.inf path\outrequest.req

The output request file can be submitted to the CA server.

Alternatively, you can use the New-SelfSignedCertificate PowerShell cmdlet to create a self-signed certificate. The syntax would be something like this:

# ECDSA (not ECDH) on P-384, matching the INF template above: the key must be able to sign TLS handshakes
New-SelfSignedCertificate -Subject "CN=<Subject>" `
-KeyAlgorithm ECDSA_nistP384 `
-CertStoreLocation cert:\currentuser\my `
-KeyExportPolicy Exportable `
-Type SSLServerAuthentication
<...>

Provide other parameters if necessary.

Crypt32

To generate an ECC key you need to use OpenSSL. MSFT doesn't support this bit length in Web Apps at this time.

The process for creating this certificate is:

validhost:~ lamont$ openssl ecparam -genkey -name secp384r1 | openssl ec -out ec384.key
read EC key
writing EC key
validhost:~ lamont$ openssl req -new -key ec384.key -out ec384.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VALID LLC
Organizational Unit Name (eg, section) []:Technology
Common Name (e.g. server FQDN or YOUR name) []:moonlight.social

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 
An optional company name []:
validhost:~ lamont$ cat ec384.csr 

Take the output of the CSR and get the signed certificate. Then run the following command to convert the files into a PFX compatible with Azure:

openssl pkcs12 -export -out your_pfx_certificate.pfx \
    -inkey your_private.key -in your_pem_certificate.crt -certfile CA-bundle.crt
makerofthings7
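The OpenSSL route from the answer above, carried through end to end as a script. This is an added example, not code from either answer or from Azure tooling: it generates the P-384 key, builds the CSR non-interactively with a SAN, stands in for "get the signed certificate" with a throwaway CA so the flow runs offline, packs the PFX with the password Azure requires, and then runs the checks worth doing before uploading (the key really is EC P-384, the certificate's public key is EC rather than RSA, key and certificate match, and the PFX opens). It assumes `openssl` 1.1.1 or later on PATH; the hostname reuses moonlight.social from the transcript as a placeholder, and the test CA name and the password `changeit` are constructed.

```shell
#!/bin/sh
# Added example (not code from either answer): the OpenSSL route end to end for a
# P-384 ECDSA server certificate, finishing with the password-protected PFX that
# Azure expects, plus the checks worth running before uploading it.
# Assumes `openssl` 1.1.1 or later on PATH (-addext needs 1.1.1). Hostname, CA
# name and password are constructed placeholders, not values from the page.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST_FQDN="${HOST_FQDN:-moonlight.social}"    # placeholder; use your app's hostname
PFX_PASS="${PFX_PASS:-changeit}"              # constructed; Azure rejects a PFX with an empty password

# 1. Private key on secp384r1 (NIST P-384). -noout drops the EC PARAMETERS block
#    that `openssl ecparam -genkey` would otherwise prepend to the key file.
gen_ec_key() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORKDIR/ec384.key"
}

# 2. CSR with the FQDN in subjectAltName as well as the CN: modern TLS clients
#    match on SAN only. -subj/-addext replace the interactive prompts.
make_csr() {
    openssl req -new -key "$WORKDIR/ec384.key" -out "$WORKDIR/ec384.csr" \
        -subj "/CN=$HOST_FQDN" -addext "subjectAltName=DNS:$HOST_FQDN"
}

# 3. Stand-in for "get the signed certificate": a throwaway CA created here signs
#    the CSR so everything runs offline. With a real CA this step is replaced by
#    the certificate and CA bundle they return.
sign_with_test_ca() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORKDIR/testca.key"
    openssl req -x509 -new -key "$WORKDIR/testca.key" -days 30 \
        -subj "/CN=Constructed Test CA" -out "$WORKDIR/testca.crt"
    # `x509 -req` does not copy extensions from the CSR; supply them explicitly.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST_FQDN" \
        > "$WORKDIR/leaf.ext"
    openssl x509 -req -in "$WORKDIR/ec384.csr" -CA "$WORKDIR/testca.crt" \
        -CAkey "$WORKDIR/testca.key" -CAcreateserial -days 30 \
        -extfile "$WORKDIR/leaf.ext" -out "$WORKDIR/ec384.crt"
}

# 4. Key + leaf + chain into one PKCS#12. -certfile carries the CA bundle so the
#    server can present the full chain.
to_pfx() {
    openssl pkcs12 -export -out "$WORKDIR/ec384.pfx" \
        -inkey "$WORKDIR/ec384.key" -in "$WORKDIR/ec384.crt" \
        -certfile "$WORKDIR/testca.crt" -passout "pass:$PFX_PASS"
}

# 5. Checks. Each prints one value so a script can compare it.
key_curve() {          # expected: secp384r1
    openssl pkey -in "$WORKDIR/ec384.key" -noout -text | sed -n 's/.*ASN1 OID: *//p'
}
cert_key_algo() {      # expected: id-ecPublicKey (an RSA certificate says rsaEncryption)
    openssl x509 -in "$WORKDIR/ec384.crt" -noout -text | sed -n 's/.*Public Key Algorithm: *//p'
}
key_matches_cert() {   # the key going into the PFX must be the one the CA certified
    k=$(openssl pkey -in "$WORKDIR/ec384.key" -pubout | openssl sha256)
    c=$(openssl x509 -in "$WORKDIR/ec384.crt" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}
pfx_subject() {        # the PFX opens with the password and contains the leaf certificate
    openssl pkcs12 -in "$WORKDIR/ec384.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts \
        | openssl x509 -noout -subject
}

build_all() {
    gen_ec_key && make_csr && sign_with_test_ca && to_pfx
}

build_all >/dev/null 2>&1
echo "key curve:     $(key_curve)"
echo "cert key algo: $(cert_key_algo)"
echo "pfx subject:   $(pfx_subject)"
echo "artifacts in:  $WORKDIR"
```

The `cert_key_algo` check is the one that catches the most common mistake in this flow: signing the CSR with a CA that re-keys, or packing the wrong `.crt` into the PFX, leaves you with an RSA certificate and none of the CPU or bandwidth savings the question is after. Note also that OpenSSL 3.x writes the PFX with AES-256 and PBKDF2 by default; if an older importer refuses it, `openssl pkcs12 -export -legacy` produces the older encoding.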